[Sandbox] Reduce entitlements granted by default
Since App Store approval decided these suddenly matter. Signed-off-by: Christopher Snowhill <kode54@gmail.com>swiftingly
parent
a35459719d
commit
8b7418857d
|
@ -9,14 +9,8 @@
|
||||||
</array>
|
</array>
|
||||||
<key>com.apple.security.app-sandbox</key>
|
<key>com.apple.security.app-sandbox</key>
|
||||||
<true/>
|
<true/>
|
||||||
<key>com.apple.security.assets.movies.read-only</key>
|
|
||||||
<true/>
|
|
||||||
<key>com.apple.security.assets.music.read-only</key>
|
|
||||||
<true/>
|
|
||||||
<key>com.apple.security.cs.allow-jit</key>
|
<key>com.apple.security.cs.allow-jit</key>
|
||||||
<true/>
|
<true/>
|
||||||
<key>com.apple.security.files.downloads.read-only</key>
|
|
||||||
<true/>
|
|
||||||
<key>com.apple.security.files.user-selected.read-write</key>
|
<key>com.apple.security.files.user-selected.read-write</key>
|
||||||
<true/>
|
<true/>
|
||||||
<key>com.apple.security.network.client</key>
|
<key>com.apple.security.network.client</key>
|
||||||
|
|
|
@ -24,35 +24,6 @@
|
||||||
@property(nonatomic) NSURL *_Nullable url;
|
@property(nonatomic) NSURL *_Nullable url;
|
||||||
@end
|
@end
|
||||||
|
|
||||||
static NSURL *containerDirectory(void) {
|
|
||||||
NSString *path = [@"~" stringByExpandingTildeInPath];
|
|
||||||
return [NSURL fileURLWithPath:path];
|
|
||||||
}
|
|
||||||
|
|
||||||
// XXX this is only for comparison, not "escaping the sandbox"
|
|
||||||
static NSURL *pathEscape(NSString *path) {
|
|
||||||
NSString *componentsToRemove = [NSString stringWithFormat:@"Library/Containers/%@/Data/", [[NSBundle mainBundle] bundleIdentifier]];
|
|
||||||
NSRange rangeOfMatch = [path rangeOfString:componentsToRemove];
|
|
||||||
if(rangeOfMatch.location != NSNotFound)
|
|
||||||
path = [path stringByReplacingCharactersInRange:rangeOfMatch withString:@""];
|
|
||||||
return [NSURL fileURLWithPath:path];
|
|
||||||
}
|
|
||||||
|
|
||||||
static NSURL *defaultMusicDirectory(void) {
|
|
||||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMusicDirectory, NSUserDomainMask, YES) lastObject];
|
|
||||||
return pathEscape(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
static NSURL *defaultDownloadsDirectory(void) {
|
|
||||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES) lastObject];
|
|
||||||
return pathEscape(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
static NSURL *defaultMoviesDirectory(void) {
|
|
||||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMoviesDirectory, NSUserDomainMask, YES) lastObject];
|
|
||||||
return pathEscape(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
@interface PathItem : NSObject
|
@interface PathItem : NSObject
|
||||||
@property(nonatomic, strong) NSString *path;
|
@property(nonatomic, strong) NSString *path;
|
||||||
@property(nonatomic) BOOL enabled;
|
@property(nonatomic) BOOL enabled;
|
||||||
|
@ -99,12 +70,6 @@ static NSURL *defaultMoviesDirectory(void) {
|
||||||
|
|
||||||
if(!results || [results count] < 1) return;
|
if(!results || [results count] < 1) return;
|
||||||
|
|
||||||
NSURL *defaultMusic = defaultMusicDirectory();
|
|
||||||
NSURL *defaultDownloads = defaultDownloadsDirectory();
|
|
||||||
NSURL *defaultMovies = defaultMoviesDirectory();
|
|
||||||
|
|
||||||
NSURL *container = containerDirectory();
|
|
||||||
|
|
||||||
id sandboxBrokerClass = NSClassFromString(@"SandboxBroker");
|
id sandboxBrokerClass = NSClassFromString(@"SandboxBroker");
|
||||||
|
|
||||||
NSMutableArray *items = [[NSMutableArray alloc] init];
|
NSMutableArray *items = [[NSMutableArray alloc] init];
|
||||||
|
@ -125,7 +90,8 @@ static NSURL *defaultMoviesDirectory(void) {
|
||||||
// Add other system paths to this setting
|
// Add other system paths to this setting
|
||||||
NSString *fileTreePath = [[NSUserDefaults standardUserDefaults] stringForKey:@"fileTreeRootURL"];
|
NSString *fileTreePath = [[NSUserDefaults standardUserDefaults] stringForKey:@"fileTreeRootURL"];
|
||||||
if(fileTreePath && [fileTreePath length]) {
|
if(fileTreePath && [fileTreePath length]) {
|
||||||
[array addObject:[NSURL URLWithString:fileTreePath]];
|
// Append false name to dodge the directory/fragment trimmer
|
||||||
|
[array addObject:[NSURL URLWithString:[fileTreePath stringByAppendingPathComponent:@"moo.mp3"]]];
|
||||||
}
|
}
|
||||||
|
|
||||||
NSString *soundFontPath = [[NSUserDefaults standardUserDefaults] stringForKey:@"soundFontPath"];
|
NSString *soundFontPath = [[NSUserDefaults standardUserDefaults] stringForKey:@"soundFontPath"];
|
||||||
|
@ -135,14 +101,7 @@ static NSURL *defaultMoviesDirectory(void) {
|
||||||
|
|
||||||
for(NSURL *fileUrl in array) {
|
for(NSURL *fileUrl in array) {
|
||||||
NSURL *url = [sandboxBrokerClass urlWithoutFragment:fileUrl];
|
NSURL *url = [sandboxBrokerClass urlWithoutFragment:fileUrl];
|
||||||
if([sandboxBrokerClass isPath:url aSubdirectoryOf:defaultMusic] ||
|
if([sandboxPathBehaviorController matchesPath:url])
|
||||||
[sandboxBrokerClass isPath:url
|
|
||||||
aSubdirectoryOf:defaultDownloads] ||
|
|
||||||
[sandboxBrokerClass isPath:url
|
|
||||||
aSubdirectoryOf:defaultMovies] ||
|
|
||||||
[sandboxBrokerClass isPath:url
|
|
||||||
aSubdirectoryOf:container] ||
|
|
||||||
[sandboxPathBehaviorController matchesPath:url])
|
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
NSArray *pathComponents = [url pathComponents];
|
NSArray *pathComponents = [url pathComponents];
|
||||||
|
|
|
@ -17,40 +17,6 @@
|
||||||
|
|
||||||
#import "PlaylistController.h"
|
#import "PlaylistController.h"
|
||||||
|
|
||||||
static NSURL *_containerDirectory = nil;
|
|
||||||
static NSURL *_defaultMusicDirectory = nil;
|
|
||||||
static NSURL *_defaultDownloadsDirectory = nil;
|
|
||||||
static NSURL *_defaultMoviesDirectory = nil;
|
|
||||||
|
|
||||||
static NSURL *containerDirectory(void) {
|
|
||||||
NSString *path = [@"~" stringByExpandingTildeInPath];
|
|
||||||
return [NSURL fileURLWithPath:path];
|
|
||||||
}
|
|
||||||
|
|
||||||
// XXX this is only for comparison, not "escaping the sandbox"
|
|
||||||
static NSURL *pathEscape(NSString *path) {
|
|
||||||
NSString *componentsToRemove = [NSString stringWithFormat:@"Library/Containers/%@/Data/", [[NSBundle mainBundle] bundleIdentifier]];
|
|
||||||
NSRange rangeOfMatch = [path rangeOfString:componentsToRemove];
|
|
||||||
if(rangeOfMatch.location != NSNotFound)
|
|
||||||
path = [path stringByReplacingCharactersInRange:rangeOfMatch withString:@""];
|
|
||||||
return [NSURL fileURLWithPath:path];
|
|
||||||
}
|
|
||||||
|
|
||||||
static NSURL *defaultMusicDirectory(void) {
|
|
||||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMusicDirectory, NSUserDomainMask, YES) lastObject];
|
|
||||||
return pathEscape(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
static NSURL *defaultDownloadsDirectory(void) {
|
|
||||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES) lastObject];
|
|
||||||
return pathEscape(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
static NSURL *defaultMoviesDirectory(void) {
|
|
||||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMoviesDirectory, NSUserDomainMask, YES) lastObject];
|
|
||||||
return pathEscape(path);
|
|
||||||
}
|
|
||||||
|
|
||||||
static SandboxBroker *kSharedSandboxBroker = nil;
|
static SandboxBroker *kSharedSandboxBroker = nil;
|
||||||
|
|
||||||
@interface SandboxEntry : NSObject {
|
@interface SandboxEntry : NSObject {
|
||||||
|
@ -69,7 +35,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
|
||||||
@property NSInteger refCount;
|
@property NSInteger refCount;
|
||||||
|
|
||||||
- (id)initWithToken:(SandboxToken *)token;
|
- (id)initWithToken:(SandboxToken *)token;
|
||||||
- (id)initWithStaticURL:(NSURL *)url;
|
|
||||||
@end
|
@end
|
||||||
|
|
||||||
@implementation SandboxEntry
|
@implementation SandboxEntry
|
||||||
|
@ -84,17 +49,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
|
||||||
return obj;
|
return obj;
|
||||||
}
|
}
|
||||||
|
|
||||||
- (id)initWithStaticURL:(NSURL *)url {
|
|
||||||
SandboxEntry *obj = [super init];
|
|
||||||
if(obj) {
|
|
||||||
obj->_refCount = 1;
|
|
||||||
obj->_secureUrl = nil;
|
|
||||||
obj->_token = nil;
|
|
||||||
obj->_path = [url path];
|
|
||||||
}
|
|
||||||
return obj;
|
|
||||||
}
|
|
||||||
|
|
||||||
- (NSInteger)refCount {
|
- (NSInteger)refCount {
|
||||||
return _refCount;
|
return _refCount;
|
||||||
}
|
}
|
||||||
|
@ -193,22 +147,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
|
||||||
- (SandboxEntry *)recursivePathTest:(NSURL *)url {
|
- (SandboxEntry *)recursivePathTest:(NSURL *)url {
|
||||||
SandboxEntry *ret = nil;
|
SandboxEntry *ret = nil;
|
||||||
|
|
||||||
static dispatch_once_t onceToken;
|
|
||||||
dispatch_once(&onceToken, ^{
|
|
||||||
_containerDirectory = containerDirectory();
|
|
||||||
_defaultMusicDirectory = defaultMusicDirectory();
|
|
||||||
_defaultDownloadsDirectory = defaultDownloadsDirectory();
|
|
||||||
_defaultMoviesDirectory = defaultMoviesDirectory();
|
|
||||||
});
|
|
||||||
|
|
||||||
NSArray *urls = @[_containerDirectory, _defaultMusicDirectory, _defaultDownloadsDirectory, _defaultMoviesDirectory];
|
|
||||||
|
|
||||||
for(NSURL *checkUrl in urls) {
|
|
||||||
if([SandboxBroker isPath:url aSubdirectoryOf:checkUrl]) {
|
|
||||||
return [[SandboxEntry alloc] initWithStaticURL:checkUrl];
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
NSPersistentContainer *pc = [SandboxBroker sharedPersistentContainer];
|
NSPersistentContainer *pc = [SandboxBroker sharedPersistentContainer];
|
||||||
|
|
||||||
NSSortDescriptor *sortDescriptor = [NSSortDescriptor sortDescriptorWithKey:@"path.length" ascending:NO];
|
NSSortDescriptor *sortDescriptor = [NSSortDescriptor sortDescriptorWithKey:@"path.length" ascending:NO];
|
||||||
|
|
Loading…
Reference in New Issue